SYM_JSTS_0076 - SymbioticSec/Symbiotic-Vulnerability-Database GitHub Wiki
Improper Restriction of XML External Entity Reference
Property | Value |
---|---|
Language | |
Severity | |
CWE | CWE-611: Improper Restriction of XML External Entity Reference |
OWASP | A04:2017 - XML External Entities (XXE) |
Confidence Level | Low |
Impact Level | Low |
Likelihood Level | Low |
Description
Untrusted user input is passed directly to the xml2json XML parser without validation or sanitization, so the parser may process dangerous XML content such as a document type definition that declares external entities. This makes the application vulnerable to XML External Entity (XXE) attacks.
Impact
If exploited, an attacker could access sensitive files on the server, perform server-side request forgery (SSRF), or disrupt application behavior by injecting malicious XML. This can lead to data leaks, unauthorized access, or compromise of backend systems.
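One way to apply the missing validation step, as an added example that is not code from the Symbiotic database or from any xml2json package: a dependency-free gate in JavaScript that rejects XML carrying a DTD or undeclared entity references before it reaches the XML-to-JSON parser. The size limit `MAX_XML_BYTES`, the `checkUntrustedXml`/`parseUntrustedXml` names and the `toJson` callback standing in for the parser are assumptions of this example.

```javascript
// Added example (not from the Symbiotic database): gate untrusted XML before
// any XML-to-JSON parser sees it. JSON conversion never needs a DTD, so the
// simplest XXE mitigation is to refuse DOCTYPE/ENTITY declarations outright.
const MAX_XML_BYTES = 1024 * 1024; // assumed size limit; tune per application

// Strip XML comments first so a commented-out "<!DOCTYPE" does not trigger a
// false positive; a conforming parser ignores comment contents as well.
function stripComments(xml) {
  return xml.replace(/<!--[\s\S]*?-->/g, '');
}

// Returns { ok: true } or { ok: false, reason } for a candidate XML document.
function checkUntrustedXml(xml) {
  if (typeof xml !== 'string') return { ok: false, reason: 'not a string' };
  if (Buffer.byteLength(xml, 'utf8') > MAX_XML_BYTES) {
    return { ok: false, reason: 'document too large' };
  }
  const body = stripComments(xml);
  // Reject any DTD: internal entities enable entity-expansion denial of
  // service, external (SYSTEM/PUBLIC) entities enable file read and SSRF.
  if (/<!DOCTYPE\b/i.test(body)) return { ok: false, reason: 'DOCTYPE not allowed' };
  if (/<!ENTITY\b/i.test(body)) return { ok: false, reason: 'ENTITY declaration not allowed' };
  // Without a DTD only the five predefined entities and character references
  // can resolve; flag anything else so a lenient parser cannot surprise us.
  const ref = body.match(/&(?!(amp|lt|gt|apos|quot|#\d+|#x[0-9a-fA-F]+);)[\w.-]+;/);
  if (ref) return { ok: false, reason: `undeclared entity reference ${ref[0]}` };
  return { ok: true };
}

// Wrap the parser call (toJson is whatever XML-to-JSON function is in use)
// so that rejected input never reaches it.
function parseUntrustedXml(xml, toJson) {
  const verdict = checkUntrustedXml(xml);
  if (!verdict.ok) throw new Error(`rejected XML: ${verdict.reason}`);
  return toJson(xml);
}
```

Combine this gate with a parser configured to disable DTD processing where the library offers such an option; the pre-check is defence in depth, not a substitute for a safely configured parser.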